Update 1/19: Apple is working on a fix, according to a Github post.
Just days after Apple patched a bug that could allow a hacker to send your iPhone into an endless loop of crashes, FingerprintJS has uncovered a Safari vulnerability that could expose your internet activity and personal data to an open website.
The bug originates in the IndexedDB API, which is used for client-side storage of significant amounts of structured data, according to Mozilla. As FingerprintJS explains, since IndexedDB is a low-level API used by all major browsers, many developers “choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.”
As such, Safari’s version of IndexedDB is violating the same-origin security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins, according to FingerprintJS. Consequently, arbitrary websites could spy on the other websites a user visits in different tabs or windows.
Since some websites use unique user-specific identifiers in database names, FingerprintJS explains that authenticated users can be “uniquely and precisely identified” by sites such as YouTube, Google Calendar, and Google Keep. And since you’ll be logged in to those sites using your Google ID, the databases created for that account could be leaked, which include personal information. FingerprintJS uncovered several other sites vulnerable to the bug, including Twitter and Bloomberg.
According to a Webkit post on Github (spotted by 9to5Mac), Apple is aware of the issue and working on a fix.